doudaochu1699 2018-06-26 19:47
浏览 65
已采纳

我的服务器端PHP在reCaptcha(数百垃圾邮件)之后仍然被黑客入侵

My previous question on StackOverflow was about that someone was sending me hundreds of spam emails every few hours. Now, I fixed the script on the server side but the next morning I still got 30 emails or something and my hosting company gave me a new password to my FTP and moved my index files to a backup map(website offline), they said it was hacked because of the suspicious script below. They said "This often happens via a leaked script in your website, a script that is "out of date". What does that mean? They say in the email that there is something with this script file. Which is impossible to hack in right because I used reCaptcha on the server side, is there something missing?

<?php

if(isset($_POST['g-recaptcha-response'])){
      $captcha=$_POST['g-recaptcha-response'];


      }


/* OUTCOMMENTED CODE BELOW DOESN'T LET FORM SEND IF EVERYTHING IS CHECKED???? 


    if(!$captcha){
          echo '<h2>Check captcha .</h2>';
          exit;
        }*/



    $response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=(SECRETKEY)&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
            if($response.success==false)
            {
                echo '<span id="status" style="font-size:1vmax;color:red;">ReCaptcha ERROR</span>';
            }else
            {

        if( isset($_POST['n']) && isset($_POST['e']) && isset($_POST['mn']) && 

isset($_POST['m']) ){
        $n = $_POST['n']; // HINT: use preg_replace() to filter the data
        $e = $_POST['e'];
        $mn = $_POST['mn'];
        $m = nl2br($_POST['m']);
        $to = "gesternl@gester.nl"; 
        $from = $e;
        $subject = 'Contact Formulier-eng';
        $message = '<b>Naam:</b> '.$n.' <br><b>Email:</b> '.$e.' <br><b>Mobiel-nummer:</b> '.$mn.' <p>'.$m.'</p>';
        $headers = "Van: $from
";
        $headers .= 'MIME-Version: 1.0' . "
";
        $headers .= 'Content-type: text/html; charset=iso-8859-1' . "
";
        if( mail($to, $subject, $message, $headers) ){
            echo "success";
        } else {
            echo "The server failed to send a message. Please try again later. Thank you!";
        }
    }
        }
    ?>

I just uploaded it again to see what is going to happen now. Can someone please help me make this file secure for a hacker. Nobody really helped in the previous question but only gave advice without code (and I am nooby).

(The outcommented code around line 8 doesn't work which i don't understand, does someone know why is that why someone can hack into it maybe?)

And yes the code in the HTML for recaptcha is well linked with the public key

  • 写回答

3条回答 默认 最新

  • doushou7169 2018-06-26 20:28
    关注
    1. You've to sanitizing user input as said @kevin Cai

    2. You've an error in line: if($response.success==false)

      $response=file_get_contents("......");

$result = json_decode($response);

if($result->success==false){
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 教务系统账号被盗号如何追溯设备
  • ¥20 delta降尺度方法,未来数据怎么降尺度
  • ¥15 c# 使用NPOI快速将datatable数据导入excel中指定sheet,要求快速高效
  • ¥15 再不同版本的系统上,TCP传输速度不一致
  • ¥15 高德地图点聚合中Marker的位置无法实时更新
  • ¥15 DIFY API Endpoint 问题。
  • ¥20 sub地址DHCP问题
  • ¥15 delta降尺度计算的一些细节,有偿
  • ¥15 Arduino红外遥控代码有问题
  • ¥15 数值计算离散正交多项式